WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:
Use a properly generated hash for the newbloguser key instead of a determinate substring.
Add escaping to the language attributes used on html elements.
Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Those of us who use PayPal enjoy its convenience and security but most of us forget about all those agreements we make with vendors.
After firing a vendor I logged into my account to remove any agreements I had with them. There were five!
I also began reviewing the ACTIVE agreements and was very surprised. I spent 15 minutes and canceled agreements with CompUSA and TigerDirect, for instance. It’s just a matter of time before someone snatches their customer data.
Google’s promising $159 Pixel Buds are now shipping to customers, and they do something no other wireless earphones do.
The Pixel Buds offer instant access to Google Assistant and 5 hours of battery life, but the most intriguing feature is the real-time translation of 40 different languages. With the feature, you’ll be able to speak to someone in a different language and rely on Google’s Translate to help you get the job done. But as Google’s own support page, and those who have tried out the feature, can attest, it’ll take some legwork to make it happen.
Here’s how to make Google’s real-time translation work with Pixel Buds:
For one thing, you’re going to need a first-generation Pixel or a Pixel 2 phone. All other handsets won’t allow for the real-time translation Google offers with its own line of smartphones. Additionally, you’ll need to have the Google Translate app running on your smartphone.
Now that you’re ready with the correct hardware, you’ll need to activate Google Assistant from the Pixel Buds by pressing the right earbud and saying, “OK, Google, help me speak” followed by the language of your choice. You’ll notice on your phone that Google Translate is now up and ready to help you translate.
If you’re speaking English and the other person is speaking another language, you’ll need to have that person speak into your Pixel or Pixel 2 phone. With Google Translate activated, the other person will speak through the Pixel phone in his or her language and you’ll be talking through the earbuds. Along the way, Google Translate translates what each of you is saying on the fly.
The Google translation feature comes free, as well as Google Translate. But to get it up and running, you’ll need to be living in Google’s ecosystem.
European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.
The document, developed as a deterrent to provocations by nation states like Russia and North Korea, will declare that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”
This framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.
UK security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.
The problem is that definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.
It brings the EU in line with NATO policy in the past, establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense, which states that an attack on one member is an attack on all 29 allies.
McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.
“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.
I’m expecting the USA to follow with a similar statement, to function as an additional deterrent against the recent spate of Russian and North Korean incursions.
The vast majority of Russia’s attacks start with social engineering and spear phishing attacks. However, current investigations show that they also have been running paid propaganda campaigns through Facebook.
2018 Is Likely to Be a Worse Year for Ransomware Than 2017
Sophos released their 2018 malware forecast this week. Their predictions would make any IT pro concerned; a link to a PDF of their report is below. Read on for your executive summary.
Ransomware Mutations Running Amok
You have seen a lot in this blog this year about the WannaCry and NotPetya ransomware strains. Both attacks exploited the EternalBlue Windows SMB vulnerability, and both did not have workable decryption mechanisms for the few organizations desperate enough to try to pay the ransom.
Both incidents make one thing clear: WannaCry and NotPetya appear to be the work of military cyber warfare divisions. Their authors aren’t script kiddies, but professional Dev teams using sophisticated techniques. Nation states are fighting a cold cyber war, and both commercial and non-profit organizations are the collateral damage worldwide.
RaaS Is for Newbie Cyber Crims
There is an area where amateur cyber “crims” do come in, and that’s Ransomware as a Service, aka RaaS. Newbies without l33t skills simply buy the code on the dark web including easy how-to videos.
Sophos says that RaaS is growing in popularity on the Dark Web, and this year’s Cerber ransomware is their example of a worrisome trend. Here’s some of what it says in the report that specifically pertains to RaaS:
“Ransomware is big business on the Dark Web. Its creators realized they could make more money not just by extorting currency from their victims, but by selling kits buyers could use to make and distribute their own. We’ve seen a number of different services and pricing models in the past year, and expect to see many more in 2018.
One of the biggest examples, as mentioned above, is Cerber. Other examples include Satan, malicious software that once opened in a Windows system, encrypts all the files and demands a ransom for the decryption tools, and Philadelphia. The latter was notable for its marketing technique, which included a slick YouTube video advertisement on the open web.”
New “Marketing” Techniques
Sophos reports on an additional ransomware trend they found in a malware strain called Spora. Instead of demanding one ransom to decrypt an entire encrypted drive or partition, some ransomware offers victims multiple options. The options seen in Spora are:
Decrypt two files for nothing
Decrypt a selection of files for 30.00 dollars
Have the ransomware itself removed for 20.00 dollars
Buy what they call immunity for 50.00 dollars
Get everything on the computer restored for 120.00 dollars
Ransomware Is Now Targeting Non-Win OSen
September 2013 was when CryptoLocker reared its ugly head as the first weapons-grade ransomware that exclusively targeted Windows, which remains Target No. 1.
But Sophos notices a trend of ransomware targeting non-Windows operating systems. I would not be surprised if in 2018 a worldwide MacOS or Linux distro ransomware pandemic broke out.
Ransomware is also growing rapidly on Android. Sophos reported that the prevalence of Android ransomware has grown almost every month in 2017; 30.4% of the Android malware researched in September 2017 by Sophos was ransomware, and they expect that 45% of all Android malware in October was ransomware.
One of the biggest Android ransomware stories broke this October: DoubleLocker. Looks like Android ransomware is going to be a bigger problem in 2018.
Healthcare Continues to Be a Target.
Many cyber criminals are specifically targeting the healthcare industry. Sophos states this trend started in 2016. Healthcare is the single most targeted industry because they are the victims who are most likely to pay ransoms. The Sophos report shows that critical infrastructure, education and small businesses also are often targeted for ransomware attacks, as they’re more likely to pay up as well.
Between April 1st and October 3rd, Sophos notes that the top four countries for ransomware victims are the United States (17.2%), Great Britain (11.1%), Belgium (8.6%), and Singapore (6.5%). And of course neither Ukraine nor Russia even shows up in the Top 16, because that’s where these organized cyber crime gangs are, and they know that FSB (KGB) swat teams will knock down their doors if they target these countries.
Following the initial outbreak, there was some confusion about what exactly Bad Rabbit is. Now the initial panic has died down, however, it’s possible to dig down into what exactly is going on.
1. The cyber-attack has hit organisations across Russia and Eastern Europe
Organisations across Russia and Ukraine — as well as a small number in Germany and Turkey — have fallen victim to the ransomware. Researchers at Avast say they’ve also detected the malware in Poland and South Korea.
Russian cybersecurity company Group-IB confirmed at least three media organisations in the country have been hit by file-encrypting malware, while at the same time Russian news agency Interfax said its systems have been affected by a “hacker attack” — and were seemingly knocked offline by the incident.
Other organisations in the region including Odessa International Airport and the Kiev Metro also made statements about falling victim to a cyber-attack, while CERT-UA, the Computer Emergency Response Team of Ukraine, also posted that the “possible start of a new wave of cyberattacks to Ukraine’s information resources” had occurred, as reports of Bad Rabbit infections started to come in.
“The total prevalence of known samples is quite low compared to the other “common” strains,” said Jakub Kroustek, malware analyst at Avast.
2. It’s definitely ransomware
Those unfortunate enough to fall victim to the attack quickly realised what had happened because the ransomware isn’t subtle — it presents victims with a ransom note telling them their files are “no longer accessible” and “no one will be able to recover them without our decryption service”.
Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they’re told, and the payment for decrypting files is 0.05 bitcoin — around $285. Those who don’t pay the ransom before the timer reaches zero are told the fee will go up and they’ll have to pay more.
The encryption uses DiskCryptor, which is legitimate, open source software used for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.
3. It’s based on Petya/Not Petya
If the ransom note looks familiar, that’s because it’s almost identical to the one victims of June’s Petya outbreak saw. The similarities aren’t just cosmetic either — Bad Rabbit shares behind-the-scenes elements with Petya too.
Analysis by researchers at Crowdstrike has found that Bad Rabbit and NotPetya’s DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.
4. It spreads via a fake Flash update on compromised websites
The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites — some of which have been compromised since June — are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.
5. It can spread laterally across networks…
Much like Petya, Bad Rabbit comes with a potent trick up its sleeve in that it contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction, say researchers at Cisco Talos.
What aids Bad Rabbit’s ability to spread is a list of simple username and password combinations which it can exploit to brute-force its way across networks. The weak passwords list consists of a number of the usual suspects for weak passwords such as simple number combinations and ‘password’.
When Bad Rabbit first appeared, some suggested that like WannaCry, it exploited the EternalBlue exploit to spread. However, this now doesn’t appear to be the case.
“We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection,” Martin Lee, Technical Lead for Security Research at Talos told ZDNet.
7. It may not be indiscriminate
At the same point following the WannaCry outbreak, hundreds of thousands of systems around the world had fallen victim to ransomware. However, Bad Rabbit doesn’t appear to be indiscriminately infecting targets; rather, researchers have suggested that it only infects selected targets.
Meanwhile, researchers at ESET say instructions in the script injected into infected websites “can determine if the visitor is of interest and then add content to the page” if the target is deemed suitable for infection.
However, at this stage, there’s no obvious reason why media organisations and infrastructure in Russia and Ukraine have been specifically targeted in this attack.
8. It isn’t clear who is behind it
At this time, it’s still unknown who is distributing the ransomware or why, but the similarity to Petya has led some researchers to suggest that Bad Rabbit is by the same attack group — although that doesn’t help identify the attacker or the motive either, because the perpetrator of June’s epidemic has never been identified.
What marks this attack out is how it has primarily infected Russia – Eastern Europe cybercriminal organisations tend to avoid attacking the ‘motherland’, indicating this is unlikely to be a Russian group.
9. It contains Game of Thrones references
Whoever is behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in the television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers being geeks and nerds.
10. You can protect yourself against becoming infected by it
At this stage, it’s unknown if it’s possible to decrypt files locked by Bad Rabbit without giving in and paying the ransom – although researchers say that those who fall victim shouldn’t pay the fee, as it will only encourage the growth of ransomware.
A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don’t potentially fall victim to the attack, Kaspersky Lab says users can block the execution of the files ‘c:\windows\infpub.dat’ and ‘C:\Windows\cscc.dat’ in order to prevent infection.
Reaper is on track to become one of the largest botnets recorded in recent years — and yet nobody seems to know what it will do or when. But researchers say the damage could be bigger than last year’s cyberattack.
A little over a month ago, a sizable botnet of infected Internet of Things devices began appearing on the radar of security researchers.
Now, just weeks later, it’s on track to become one of the largest botnets recorded in recent years.
The botnet, dubbed “Reaper” by researchers at Netlab 360, is said to have ensnared almost two million internet-connected webcams, security cameras, and digital video recorders (DVRs) in the past month, says Check Point, which also published research, putting its growth at a far faster pace than Mirai.
It was Mirai that caused a massive distributed denial-of-service (DDoS) attack last October, knocking popular websites off the internet for millions of users. The collective bandwidth from the huge number of “zombie devices” that were infected and enslaved was directed at Dyn, an internet infrastructure company, which overloaded the company’s systems and prevented millions from accessing popular websites.
Mirai was “beautifully simple,” said Ken Munro, a consultant at UK-based security firm Pen Test Partners. The malware would scan the internet and infect connected devices with default usernames and passwords, which either weren’t or couldn’t be changed by the owner.
Reaper, however, “is what Mirai could easily have been,” said Munro. It takes a slightly different, more advanced approach by quietly targeting and exploiting known vulnerabilities in devices and injecting its malicious code, effectively hijacking the device for whenever the botnet controller is ready to issue their commands. Each time a device is infected, the device spreads the malware to other vulnerable devices — like a worm.
Mirai aggressively ran each device against a list of known usernames and passwords, but Reaper is “not very aggressive,” said Netlab.
By targeting a known vulnerability, the botnet can swiftly take control of a device without raising any alarms.
“One of the reasons Mirai didn’t achieve its full potential is that the compromise didn’t persist beyond a reboot,” said Munro. “Hence, multiple botnet herders were competing for control of the compromised DVRs that comprised it, so the huge botnet it could have been was never built,” he said.
Not only has the botnet gained in size in the past month — it’s growing in capability. New exploits have been added to the botnet’s arsenal regularly in recent days, said Netlab. Check Point said 33 devices are vulnerable to attack so far. Researchers have also noted that several known, easy-to-exploit vulnerabilities have not been added to the botnet, raising questions about why some exploits have been added and not others.
But what’s thrown researchers is that nobody can figure out what the botnet is for.
While the Mirai botnet was a point-and-shoot botnet that could be used to hose systems with vast amounts of bandwidth, Reaper can be used to run complex attack scripts on infected devices. Reaper’s command and control infrastructure is also growing in size, accommodating more infected devices by the day. Netlab said 10,000 bots were under the wing of just one command and control server.
So far, there haven’t been any signs of DDoS attacks yet. The botnet creator (“it appears that one group or individual has control of most of it,” said Munro), is focusing on building the botnet’s size. As it stands, Reaper’s size today could be capable of “creating significantly more DDoS traffic than Mirai,” said Munro.
It’s not the first time botnets of a massive scale have crept up on security researchers.
A breakdown of the Reaper botnet shows that the malware that infects devices allows the botnet owner to remotely execute code on each device, said Alan Woodward, a professor at the University of Surrey. But because each device has such little individual computational power, the code running on each device would have to be harnessed collectively for a larger, coordinated computing task, he said.
That could be anything from a DDoS on an internet target, to a much larger kind of attack.
“The aggregation of large numbers of the same Internet of Things (IoT) device leads to systemic issues,” said Munro. “When it’s one device affecting one home, it’s irritating for the consumer, but when it’s a million devices, deeper problems arise.”
“For example, any IoT device that switches a lot of electrical power gives rise to potential to affect the electricity grid,” he said.
“Whether it’s a smart kettle, a smart thermostat switching your air conditioning or solar panels — all switch power,” he said. “Trigger a million devices that switch 3kW concurrently and the power grid fails.”
What happens next is anybody’s guess.
“Everyone is expecting it to pounce, but so far nothing,” said Woodward. There isn’t much that consumers or device owners can do, except patch any affected devices they may own and carry out a factory reset.
Given that device owners are at the mercy of the manufacturers to release patches — many of which haven’t learned much from the Mirai attack and still don’t take security seriously — many may find that simply pulling the plug on each and every affected device might be the only way to dismantle the botnet.
With enough amassed firepower to be larger and stronger than Mirai, the question isn’t necessarily what the botnet will do.
“The question is whether it gets used in anger,” said Munro.
Editor’s note: October is Cybersecurity Awareness Month, and we’re celebrating with a series of security announcements this week.
Security has always been one of Chrome’s core principles—we constantly work to build the most secure web browser to protect our users. Two recent studies concluded that Chrome was the most secure web browser in multiple aspects of security, with high rates of catching dangerous and deceptive sites, lightning-fast patching of vulnerabilities, and multiple layers of defenses.
About a year ago, we announced that we would begin marking all sites that are not encrypted with HTTPS as “not secure” in Chrome. We wanted to help people understand when the site they’re on is not secure, and at the same time, provide motivation to that site’s owner to improve the security of their site. We knew this would take some time, and so we started by only marking pages without encryption that collect passwords and credit cards. In the next phase, we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
It’s only been a year, but HTTPS usage has already made some incredible progress.
64 percent of Chrome traffic on Android is now protected, up from 42 percent a year ago.
Over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on Chrome OS a year ago
71 of the top 100 sites on the web use HTTPS by default, up from 37 a year ago
We’re also excited to see HTTPS usage increasing around the world. For example, we’ve seen HTTPS usage surge recently in Japan; large sites like Rakuten, Cookpad, Ameblo, and Yahoo Japan all made major headway towards HTTPS in 2017. Because of this, we’ve seen HTTPS in Japan surge from 31 percent to 55 percent in the last year, measured via Chrome on Windows. We see similar upward trends in other regions—HTTPS is up from 50 percent to 66 percent in Brazil, and 59 percent to 73 percent in the U.S.!
Ongoing efforts to bring encryption to everyone
HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. There’s never been a better time to get your site secured by Spearhead Multimedia.
With the release of Chrome 62, Google will mark any website with an insecure form “Not Secure.”
If you haven’t added SSL to your website, you may want to—an important deadline is coming up. Starting in October with the release of Chrome 62, Google will be marking any website with an insecure form “Not Secure.” This isn’t just a warning for pages with an insecure login/password field, now it’s any field—anywhere a user can input information.
This is keeping with Google’s push for universal encryption. The company has continued to ramp up pressure for websites to add SSL. And Google doesn’t plan to stop at just warning Chrome users about insecure forms, either. Google plans to roll out a warning for all HTTP websites sometime in 2018.
So heed this warning, if your website is anything more than a blog or a personal website, you need to encrypt. Whether you’re just collecting an email address as part of a capture strategy or you’ve got a signup form somewhere, you’ll be sorry if you don’t secure it before Chrome 62 drops in October.
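To find the pages this affects before the browser flags them, here is an added example (not from the original post or from Google): a small Python audit that reports HTTP pages carrying password, card or other data-entry fields. The finding names, the `shop.example` pages and the rule that hidden, button, checkbox and radio inputs do not count as data entry are assumptions of this example; it also goes one step beyond the text by flagging HTTPS pages whose forms submit to an `http://` URL.

```python
"""Audit pages for the form fields that earn a "Not Secure" label when served over HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption of this example: these <input> types are not typed-in user data.
NON_ENTRY_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio"}


class FieldCollector(HTMLParser):
    """Counts sensitive and ordinary data-entry fields and records form actions."""

    def __init__(self):
        super().__init__()
        self.sensitive_fields = 0   # password inputs and payment-card autofill fields
        self.entry_fields = 0       # any other field a visitor can type into
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "textarea":
            self.entry_fields += 1
        elif tag == "input":
            kind = a.get("type", "").strip().lower() or "text"
            autofill = a.get("autocomplete", "").strip().lower()
            if kind == "password" or autofill.startswith("cc-"):
                self.sensitive_fields += 1
            elif kind not in NON_ENTRY_TYPES:
                self.entry_fields += 1


def audit_page(url, html):
    """Return the list of findings for one page; an empty list means nothing to fix."""
    collector = FieldCollector()
    collector.feed(html)
    scheme = urlparse(url).scheme
    findings = []
    if scheme == "http":
        if collector.sensitive_fields:
            findings.append("sensitive-field-on-http")
        if collector.entry_fields:
            findings.append("input-field-on-http")
    elif scheme == "https":
        # Resolve relative actions against the page URL; an empty action posts to the page.
        for action in collector.form_actions:
            if urlparse(urljoin(url, action)).scheme == "http":
                findings.append("https-form-posts-to-http")
                break
    return findings


# Constructed sample pages (not real sites), embedded so the audit runs offline.
SAMPLE_PAGES = {
    "http://shop.example/login":
        '<form action="/session"><input name="u">'
        '<input type="password" name="p"><input type="submit"></form>',
    "http://shop.example/":
        '<form action="/subscribe"><input type="email" name="e">'
        '<input type="hidden" name="t" value="1"></form>',
    "https://shop.example/contact":
        '<form action="http://shop.example/send"><textarea name="m"></textarea></form>',
    "https://shop.example/checkout":
        '<form action="/pay"><input autocomplete="cc-number" name="c"></form>',
    "http://shop.example/about": "<p>No forms here.</p>",
}

if __name__ == "__main__":
    for page_url, page_html in SAMPLE_PAGES.items():
        print(page_url, audit_page(page_url, page_html) or "ok")
```

Feed it the saved HTML of each page on a site; every URL with a non-empty result needs to move to HTTPS or have its form action corrected.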
“Not Secure” warnings kill conversions
Nothing is going to kill your conversion rate faster than Google placing a “Not Secure” warning in your address bar or dropping an interstitial warning when a customer attempts to type in one of your website’s fields.
And it’s not just Google, the other browsers are also adopting similar policies with regard to encryption and insecure websites.
Think about it, people tend to trust their browsers. When one of them tells a user that he or she is not safe on a website, the vast majority of people are going to leave. Nobody is sitting at their computer saying, “this seems like a worthwhile risk to take.”
So remember, if your website has any forms on it—install SSL. Waiting until Google flags your website is playing with fire. It’s time to add SSL. Contact us today for a free evaluation to provide your site the correct level of security for a reasonable price.
When an inexperienced person attempts to build a website, this can easily happen.
The old adage “You get what you pay for” came into play recently when a potential client contacted us after deciding to let some cheapo “web developers” build her site. They not only built a horribly bad looking, difficult to navigate site, they did nothing for security. The result: A site that is now distributing malware. To top it off, it’s hosted on GoDaddy antique servers and probably infiltrating even deeper. There are certain things for which you should not take the cheap route; you’ve all heard it before. When you go cheap on how you represent yourself and/or your business, it never does anyone any good. Buy smart, do your research.